See the Graph Security API in Action at RSA Conference 2018

Today, Microsoft announced the public preview of their Microsoft Graph Security API. The security API enables a single point of programmatic access to aggregated security insights from Microsoft and partner security solutions, as well as business information from other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) that can add high-value context to threat analysis.

Palo Alto Networks has built a proof-of-concept application to demonstrate our ability to consume alerts from the Graph API, enrich those alerts with additional threat intelligence from AutoFocus, and send alert notifications to the Graph API. This information has the potential to provide security teams with a holistic view of their environment, and enable more coordinated policy updates, to ensure a consistent security posture across the security portfolio. We will be demonstrating a proof of concept for these use cases at the Microsoft Intelligent Security Graph demo station at RSA (booth 3501 in the Moscone North Exhibit Hall).

Because Context Matters

Traditional security approaches are suited to protect against known threats, and adversaries get around these defenses by making slight changes to existing exploits and attack vectors. Microsoft and Palo Alto Networks actively hunt to identify these variants, new attack profiles, and IPs (indicators of comprise and attacks, collectively) being used by bad actors for attacks, exfiltration, and command and control.

You can minimize your exposure to these attacks by blocking at the network layer, and we have built a proof of concept to show how we can both add this additional contextual information to any alerts surfaced through the security API and take action on those alerts to block the attacker IPs and domains across all of the Palo Alto Networks next-generation firewalls deployed in your environment.

For the demo, we will showcase an application that uses the security API to poll alerts from multiple security solutions – in this case, we’ll focus on an alert from Azure Security Center. The alert is enriched with additional information from Panorama and AutoFocus, and action is taken to block the threat across all of the firewalls deployed within the customer environment. For this scenario:

  1. Azure Security Center detects communication to a malicious IP address, likely a command-and-control center. The alert is surfaced in the Security Center, and our demo application via the security API.
  2. Our demo application then correlates the alert with logs from Panorama to determine whether this attack has been detected by a firewall. The application also queries AutoFocus, our threat intelligence service, to pull all of the information we know about that attack: the attacker, the family of this attack, indicators of compromise, and known IPs and domains used by these attackers for their activities.
  3. The demo application will then update the tags of the original alert, via the security API, with the threat intelligence from AutoFocus – sharing these added insights with other security products that integrate with the Graph.
  4. Finally, the demo application can then be used to block the malicious IPs associated with the attack. In the future, the security API will enable programmatic response, such as updating the policies on all your firewalls to block this traffic in the event they are not already configured to do so.

Today, you can create automated playbooks to update your firewall policies via Panorama based on Security Center alerts. In the future, this orchestration will be enabled via the security API across providers and consumers connected to the Graph.

Give Me More Data!

The logical next question is how to enable alerting from Palo Alto Networks firewalls to feed into the Intelligent Security Graph. We have also developed a Palo Alto Networks Provider as part of this proof of concept. Applications and services consuming alert data through the security API can access alerts from our firewalls via the API and this provider. This provider could be extended in the future to enable more functions from the Panorama API, such as to implementing policy updates and blocking.

There are two components for this proof of concept: a provider application that acts as the intermediary between Panorama and the security API, and the Microsoft Graph Security API Demo App that is subscribed to our provider. To enable applications to subscribe to Palo Alto Networks alerts via the Graph, we did the following:

  1. Register this demo provider with the Microsoft Security Graph.
  2. Microsoft Graph Security API Demo App subscribes to notifications from our provider.
  3. When new alerts are available, our demo provider will send a webhook notification to the Microsoft Demo App.
  4. After receiving the notification that new alerts are available, Microsoft Demo App will query our provider to retrieve the security alerts.

What’s Next?

Microsoft and Palo Alto Networks are working together to help our customers better defend against increasingly sophisticated attacks. In fact, we are one of the founding members of the Microsoft Intelligent Security Association. We are partnering across multiple teams and products to share alerts and threat intelligence to enable faster detection, remediation, and prevention so your organization can stay ahead of these attacks. The proofs of concept demonstrated here at RSA are just the first steps in our collaboration.

Stop by the Microsoft booth, #3501, in the Moscone North Exhibit Hall to view these demos in action, and you can learn more about Palo Alto Networks just a few feet away at booth #3715. You can also learn more information about the Microsoft Graph Security API by following this link.

[Palo Alto Networks Research Center]

What the Skills Shortage Means for Existing Cybersecurity Practitioners

By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.

Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.

Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.

However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.

What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. Meaning, individuals wishing to position themselves optimally for their future career growth can use this information as part of the “career strategy.”

Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.

In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?

Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.

First, current challenges in obtaining qualified technical staff mean that it is most likely that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily …  but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – are important in the long term, in addition to building technical skills.

Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.

As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]

Digital Transformation Gets Easier When Security Just Works

When I ask customers what they like about Palo Alto Networks, their answer is consistent: it just works. They can operate efficiently and prevent successful cyberattacks. Our Security Operating Platform is built for automation – it has to be easy to operate if we’re going to help our customers achieve digital transformation.

You may not recognize the name “Security Operating Platform” because we have recently changed it from “Next-Generation Security Platform.” We feel this new name better reflects its unique value. The components of the platform are integrated, making it easy to operate and automate manual tasks.

In my last blog post, I noted that the hardest part of digital transformation isn’t deciding on vendors or deploying new technologies, but instead getting people to think differently and change how they work. One of the recommendations shared, based on what I’ve been hearing for months now in my time spent with our customers and partners, is that organizations should bring stakeholders together and out of their silos to create cross-functional teams.

Whether we call these teams “agile” or something else, this mode of working requires support from a platform that can automate workflows, meet compliance and provide consistent enforcement across network, cloud and endpoints. If the technology is not designed to support workflow across the environment, it is not going to support these cross-functional teams.

We continue to expand the platform and add automation. A decade ago, we invented the Next-Generation Firewall, enabling organizations to adopt security best practices using app-, user- and content-based policies and applying a Zero Trust approach throughout. We added cloud-based security services for threat detection and prevention in what we call our first evolution. These services use the next-generation firewalls as sensors and for automated enforcement. In our second evolution, we extended the platform to include endpoint and cloud security. The security services integrate with the cloud and endpoint security to share intelligence and automate enforcement.

Now, in our third evolution, we have further extended our automated approach to ecosystem partners. Innovative apps developed by us, by third parties, or by your own teams, can access a security data set that is specific to your environment, as well as access shared threat intelligence. The apps can monitor, detect and report on threats, automate workflows, and meet compliance. As threats evolve, we believe automation and analytics that work across cloud, network and mobile devices are required to detect and stop sophisticated attacks.

We’ll see you at RSA Conference this week and hopefully at our Ignite ’18 Security Conference next month, where we’ll be celebrating disruption and digital transformation. I look forward to hearing from you – come experience our Security Operating Platform for yourself.

[Palo Alto Networks Research Center]

Two Steps to a Robust Security Culture

By Kwinton Scarbrough, CISSP

In the midst of the business and technology merge, organizations of all industries have started their journey into the cognitive era of cybersecurity. In this era, it is essential for a business to have an IT security strategy to govern how the organization will protect itself from internal and external cyber threats. However, what commonly fails to align to IT security strategy is the organization’s overall security culture. IT security strategy can only be effective if there is a strong security culture embedded into the very fabric of the company’s operations. Today, I will cover the two core components for building a robust security culture, to maximize the effectiveness of the IT security strategy.

An organization’s security culture is comprised of the mindset and habits of employees, as it relates to IT security. Habits that are intended to prevent and protect against internal and external threats are, unfortunately, not always unified for the greater good of the organization. Many times, different siloed habits are formed within individual business units based on the easiest route to achieve the task at hand (e.g.: using shared accounts, instead of unique individual accounts or using privileged accounts to perform simplistic tasks). Within an organization that lacks a mature IT security strategy, employees are more likely to naturally learn and follow what is perceived to be the path of least resistance to accomplish a task. They then continue to pass these learned, non-compliant, methods on to other employees within that business unit. Eventually, it becomes the mindset of that business unit as the only way to accomplish that task because – as I’m sure you’ve heard before – “ that’s the way we’ve always done it.” Building a strong security culture will encourage employees to question the norm if something doesn’t seem quite right.

Every organization is unique and will have its own security culture. Throughout my consulting experience I’ve come to find the state of the security culture depends on two factors: (1) well defined security policies, processes and procedures; and (2) exceptional communication about the adoption of those security policies, processes and procedures. To have a strong security culture, these two factors must be coordinated and implemented together as one has little to no lasting effect without the other.

Define a Security Policy

A security culture begins with a well-defined and properly enforced security policy. The development and enforcement of a security policy starts at the very top of the leadership pyramid and reflects down to the junior level employee. In defining a security policy, the first step is to understand the business environment and its threat landscape. An organization’s security policy should

  • Define the baseline security requirements
  • Define the requirements that meet or exceed the industry and regulations requirements
  • Align to the risk appetite of the organization

While a well-defined security policy should be clear and strictly enforced, it should not, however, dictate how each business unit must operate to comply with the requirements. Meaning the policy should be separate from the procedures. While the security requirements should be clearly defined, a strong security culture will allow for each individual business unit to determine an optimal method for incorporating these requirements into their own business operations. The ideal security policy should be seamlessly integrated into employee day-to-day thinking and decision making to ensure a secure mode of operations for all business units. The security culture should unify the organization by allowing all business units to work together, while operating in loosely-coupled coordination to provide an optimal level of protection against internal and external threats. For an organization as a whole, the goal is to create centralized policies that can be incorporated into the daily process and procedures for all business units within an organization. An organization with a strong security culture has employees that understand cybersecurity and the importance of making the necessary operation adjustments to comply with defined security requirements.

Communicate and Train Secure Habits

The communication of security requirements and security awareness go hand and hand in building a strong security culture. More communication brings more awareness and with more security awareness, individual employees are more likely to incorporate security into their day-to-day thinking and decision making. As a result, security becomes thoroughly embedded into the mindset and work habits of each employee therefore creating a strong security culture.

However, communicating the security requirement is not as straightforward as defining the security policy. To effectively communicate security policies, the communication tactics should be tailored to the target audience based on analyzed behavior, their current security understanding and preferred communication style. The goal is to effectively communicate, to each business unit, why it is necessary to follow the organization’s security policies. Better communication of the purpose and reasoning for security policies, will help to build a strong security culture through the elimination of decentralized execution of centralized policies. To take security maturity one step further, organization should also provide security awareness training. This training should serve the purpose of eliminating nonconformist habits, by bringing awareness and competence to better, more secure habits.

Conclusion

Clearly defined and communicated centralized security policies will allow an organization to enforce organization-wide security requirements. Each business unit will understand the importance of security, while having the freedom to create and establish optimal operations within well-defined boundaries.

[(ISC)² Blog]

Data Breach Preparation and Response in Accordance With GDPR

Many may be familiar with guidelines on personal data breach notification from Article 29 Working Party (WP29) prepared in October 2017 under Regulation 2016/679. In addition, the General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.

The basic concept of personal data breaches was not introduced first by the GDPR, and there are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to provide notification of breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands).

GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.

So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What type of personal data breaches exist?

  • Confidentiality breach
  • Availability breach
  • Integrity breach

It is also apparent from above that the concept of personal data breaches is closely linked to the principle of the integrity and confidentiality of personal data (Article 5 (1) (f) of the GDPR). Therefore, a wide variety of personal data breaches may occur, such as losing a laptop or USB drive that contains personal data, attacking an IT system, or even sending a letter or an email to wrong recipient.

Four years earlier, WP29, in its Opinion issued in 2014 (Opinion No. 03/2014), presented a number of practical examples of what is considered to be a personal data breach and the consequences it may have.

Why is it so important that the personal data breach is handled as soon as possible?
The Preamble to the GDPR (Point 85) states that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as:

  • Loss of control over their personal data or limitation of their rights
  • Discrimination
  • Identity theft or fraud
  • Financial loss

What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach is noticed:

  1. The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
  2. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  3. The controller shall document any personal data breaches.
  4. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification may be omitted. (For example, if mail sent by a controller to a wrong address is returned without being opened, meaning that no personal data has been accessed by an unauthorized person.

How can controllers prepare for handling personal data breaches?
Given that personal data breaches can occur at any data controller, and in such cases data controllers need to react quickly, it is important for controllers to be prepared in this respect as well.

First, every actor must prepare a data breach response plan, for which there may be internal rules as well. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

Below is a data breach response plan quick checklist to help with this preparation:

Information to be included Yes/No Comments
What a data breach is and how staff can identify one    
Clear escalation procedures and reporting lines for suspected data breaches    
Members of the data breach response team, including roles, reporting lines and responsibilities    
Details of any external expertise that should be engaged in particular circumstances    
How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions    
An approach for conducting assessments    
Processes that outline when and how individuals are notified    
Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted    
Processes for responding to incidents that involve another entity    
A record-keeping policy to ensure that breaches are documented    
Requirements under agreements with third parties such as insurance policies or service agreements    
A strategy identifying and addressing any weaknesses in data handling that contributed to the breach    
Regular reviewing and testing of the plan    
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan    


Recommendations on next steps:

An effective data breach response generally follows a four-step process — contain, assess, notify and review:

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, take action to remediate any risk of harm.
  3. Notify individuals and the Commissioner if required. If the breach is an “eligible data breach” under the NDB scheme, it may be mandatory for the entity to notify.
  4. Review the incident and consider what actions can be taken to prevent future breaches.

How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within the Hungarian DPA’s organization that addresses receiving and managing the personal data breach notifications. It is also expected that data breach notification must be made on the authority’s website, or there will be an online interface which the notifications can be sent to the authority.

Editor’s noteISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.

Laszlo Dellei, MBA,CISA, CGEIT, CRISC, C|CISO

[ISACA Now Blog]

English
Exit mobile version